2017-5-8 Global Cyber Attack Reports

TOP ATTACKS AND BREACHES

•  A new phishing campaign has hit Gmail users. In the attack, malicious emails with a request to access a
  Google Doc were received by victims. Once entered, a fake Google Docs application asked for permissions to victims’ Gmail accounts, and then sent similar phishing emails to his/her contacts. The attack was blocked by Google within an hour after the first reports of it. A day after the attack, a Twitter account was used to take responsibility over it, in a tweet claiming that it wasn’t an attack but rather an academic test that went out of control. Yet, several experts have rejected its authenticity.
•  The USA TODAY owner, media company Gannett Co., has suffered a successful phishing attack which compromised 18,000 of the company’s user accounts. The attack was discovered after an unsuccessful attempt of a threat actor to use a hijacked account for a fraudulent corporate wire transfer.
•  A malicious version of the popular video transcoder HandBrake app for OSX was found in the wild. The malicious file includes a new variant of Proton malware and was found in a compromised mirror of the
  company’s download server. Security researchers have uncovered a backdoor Trojan used in an espionage campaign. The new backdoor, named Kazuar, is linked to a Russian threat group called Turla. The Trojan includes an API allowing it to get instructions from its authors.
• Security researchers have discovered a new malware family Named KONNI. The malware has been used
  over the years to attack members of official organizations such as United Nations, UNICEF and Embassies of North Korea.THREAT INTELLIGENCE REPORT
• A group of threat actors have managed to steal sensitive data such as names and photos of patients rom a Lithuanian plastic surgery clinic. The criminals are openly demanding ransom, offering to delete he data in return for 300 bitcoins, which is roughly €344,000.

VULNERABILITIES AND PATCHES

•  A new authentication bypass vulnerability (CVE-2017-5689) in Intel’s Active Management Technology has been revealed. The vulnerability has been present in Intel’s chips for seven years and allowed attackers to remotely gain administrative control over computers without entering a password.
• Two new Cross-Site Scripting vulnerabilities in Joomla! (CVE-2017-7985 and CVE-2017-7986) have been discovered by a security researcher. The vulnerabilities affect Joomla! versions 1.5.0 through 3.6.5. Successful exploitation could grant an attacker with full control of the victim’s Joomla! account.
• A new WordPress vulnerability has been discovered by a security researcher. The vulnerability (CVE-2017-8295) is present in the password reset mechanism and affects all WordPress versions.

THREAT INTELLIGENCE REPORTS

•  A new research regarding malicious JavaScript files has been published by Check Point’s researchers, showing the use of such files in malicious emails, including a recent CryptoLocker campaign.
• Check Point’s Research Team has published a new blog post describing additional variants of the OSX/DOK campaign, an OSX malware first revealed by Check Point last week.
•  Version 6 of the Cerber Ransomware has been revealed by security researchers. The variant has a new
  encryption routine and includes sophisticated anti-sandbox and anti-AV defensive features.
• According to a new report published by the FBI, US email frauds have increased by 2,370 % over the past four years earning attackers with more than $5 billion. Most of the frauds have included fake invoices of contractors or business partners.